Documentation
Index
- Variables
- type Interface
- type Monitor
- type Register
- func (wrc *Register) Check() error
- func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error)
- func (wrc *Register) GetKubePolicyDeployment() (*apps.Deployment, *unstructured.Unstructured, error)
- func (wrc *Register) GetWebhookTimeOut() time.Duration
- func (wrc *Register) Register() error
- func (wrc *Register) Remove(cleanUp chan<- struct{})
- func (wrc *Register) Start()
- func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface)
- func (wrc *Register) ValidateWebhookConfigurations(namespace, name string) error
Constants
This section is empty.
Variables
var DefaultWebhookTimeout int64 = 10
Functions
This section is empty.
Types
type Interface (added in v1.4.0)
type Interface interface {
    // Run starts the certManager
    Run(stopCh <-chan struct{})
    // InitTLSPemPair initializes the TLSPemPair
    // it should be invoked by the leader
    InitTLSPemPair()
    // GetTLSPemPair gets the existing TLSPemPair from the secret
    GetTLSPemPair() (*ktls.PemPair, error)
}
func NewCertManager (added in v1.4.0)
func NewCertManager(secretInformer informerv1.SecretInformer, kubeClient kubernetes.Interface, certRenewer *ktls.CertRenewer, log logr.Logger, stopCh <-chan struct{}) (Interface, error)
type Monitor (added in v1.3.0)
type Monitor struct {
// contains filtered or unexported fields
}
Monitor stores the last webhook request time and monitors registered webhooks.
If a webhook is not received in the idleCheckInterval the monitor triggers a change in the Kyverno deployment to force a webhook request. If no requests are received after idleDeadline the webhooks are deleted and re-registered.
Each instance keeps an in-memory flag, lastSeenRequestTime, recording the timestamp of the last admission request received by that instance. The latest timestamp across all instances (latestTimestamp) is recorded in an annotation on the Kyverno deployment, and any instance may update that annotation. If the time elapsed since latestTimestamp is longer than idleCheckInterval, the monitor triggers an annotation update; otherwise lastSeenRequestTime is updated to latestTimestamp.
Webhook configurations are checked every tickerInterval across all instances. Currently the check only queries for the expected resource name, and does not compare other details like the webhook settings.
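The idle-check rule described above, written out as an added illustration that is not the package's own code: idleMonitor, check and Action are hypothetical names, and the timestamps and intervals are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the monitor decides on one check.
type Action int

const (
	ActionNone          Action = iota // traffic seen within idleCheckInterval: nothing to do
	ActionTriggerUpdate               // idle longer than idleCheckInterval: annotate the deployment to provoke a request
	ActionReregister                  // idle longer than idleDeadline: delete and re-register the webhooks
)

func (a Action) String() string {
	return []string{"none", "trigger-update", "reregister"}[a]
}
// idleMonitor is a hypothetical stand-in for the package's Monitor, holding only
// the fields the doc comment names.
type idleMonitor struct {
	lastSeenRequestTime time.Time // per-instance, kept in memory
	idleCheckInterval   time.Duration
	idleDeadline        time.Duration
}

// check applies the documented rule to latestTimestamp, the value read from the
// Kyverno deployment annotation (written by whichever instance last saw a request).
func (m *idleMonitor) check(now, latestTimestamp time.Time) Action {
	idle := now.Sub(latestTimestamp)
	switch {
	case idle > m.idleDeadline:
		return ActionReregister
	case idle > m.idleCheckInterval:
		return ActionTriggerUpdate
	default:
		m.lastSeenRequestTime = latestTimestamp
		return ActionNone
	}
}

func main() {
	base := time.Date(2022, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timestamps
	m := &idleMonitor{idleCheckInterval: 5 * time.Minute, idleDeadline: 10 * time.Minute}
	for _, idle := range []time.Duration{2 * time.Minute, 6 * time.Minute, 11 * time.Minute} {
		fmt.Printf("idle %v -> %s\n", idle, m.check(base.Add(idle), base))
	}
}
```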
func NewMonitor (added in v1.3.0)
NewMonitor returns a new instance of the webhook monitor
func (*Monitor) Run (added in v1.3.0)
func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen event.Interface, stopCh <-chan struct{})
Run runs the checker and verifies the resource update
type Register (added in v1.3.0)
type Register struct {
    UpdateWebhookChan chan bool
    // contains filtered or unexported fields
}
Register manages webhook registration. There are five webhooks:
1. Policy Validation
2. Policy Mutation
3. Resource Validation
4. Resource Mutation
5. Webhook Status Mutation
func NewRegister (added in v1.3.0)
func NewRegister(
    clientConfig *rest.Config,
    client *client.Client,
    kyvernoClient *kyvernoclient.Clientset,
    mwcInformer adminformers.MutatingWebhookConfigurationInformer,
    vwcInformer adminformers.ValidatingWebhookConfigurationInformer,
    resCache resourcecache.ResourceCache,
    kDeplInformer informers.DeploymentInformer,
    nsInformer coreinformers.NamespaceInformer,
    pInformer kyvernoinformer.ClusterPolicyInformer,
    npInformer kyvernoinformer.PolicyInformer,
    serverIP string,
    webhookTimeout int32,
    debug bool,
    autoUpdateWebhooks bool,
    stopCh <-chan struct{},
    log logr.Logger) *Register
NewRegister creates a new Register instance
func (*Register) Check (added in v1.3.0)
Check returns an error if any of the webhooks are not configured
func (*Register) GetKubePolicyClusterRoleName (added in v1.5.2)
func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error)
func (*Register) GetKubePolicyDeployment (added in v1.3.5)
func (wrc *Register) GetKubePolicyDeployment() (*apps.Deployment, *unstructured.Unstructured, error)
GetKubePolicyDeployment gets the Kyverno deployment from the resource cache; it does not make any client call
func (*Register) GetWebhookTimeOut (added in v1.3.0)
GetWebhookTimeOut returns the value of the webhook timeout
func (*Register) Register (added in v1.3.0)
Register cleans up the old webhooks and re-creates the admission webhook configurations on the cluster
func (*Register) Remove (added in v1.3.0)
func (wrc *Register) Remove(cleanUp chan<- struct{})
Remove removes all webhook configurations
func (*Register) UpdateWebhookConfigurations (added in v1.4.0)
UpdateWebhookConfigurations updates resource webhook configurations dynamically based on UPDATEs of the Kyverno ConfigMap defined in the INIT_CONFIG env
It currently updates namespaceSelector only; it can be extended to update other fields
+deprecated